Release Meeting Minutes/2014-08-19
Will Fiveash, Thomas Hardjono, Ken Hornstein, Greg Hudson, Ben Kaduk, Simo Sorce, Zhanna Tsitkov, Tom Yu
Kerberos Day 9/17 as part of MIT-KIT conference. Kerberos ops forum in afternoon.
Ken describes three main classes of local changes he's made:
- Specify mapping from cert to principal. Was matching string inside TL-data, now using string attributes.
- OCSP checking
- Setting HW-PREAUTH on some tickets based on cert policy OIDs (e.g. DOD policy OID for smart card or other hardware token)
Servers can check the HW-PREAUTH flag (via local GSSAPI extensions). Greg mentions that we have talked about split client/server semantics for preauth flags in the KDB. Ken would like a standard interface for applications to look at ticket flags using GSSAPI.
Ken's KDC principal matching rules are a generalization of existing matching rules in the PKINIT client code.
- Deny if OCSP unreachable?
- Local OCSP daemon on KDC host, so not a problem in practice. (later) Yes, we deny if OCSP server is unreachable.
Greg wonders why not a CRL file. Ken says it's better for performance to use an OCSP server, due to size and quantity of CRL files.
Greg says a sub-plugin for PKINIT cert-to-principal mappings is a possibility. Synchronous OCSP check could be OK if the server is local.
Dynamic client principals
There is interest in being able to issue tickets based on preauth from an external identity system (e.g. X.509 PKI) without a corresponding client principal name in the database. This can decrease complications with synchronizing multiple identity stores. Greg also suggests self-service bootstrapping of client principal entries in the KDC starting from a X.509 cert and PKINIT to talk to kadmind. We should get more feedback from operators about this idea.
krb5-1.13-alpha1 probably later this week. Final release probably second week of October.